Where identity goes, trouble follows. Blizzard's Battle.Net has a new identity system, RealID, which is raising a number of security, privacy, and utility concerns as the company prepares to launch two of the most anticipated PC games in years - Starcraft II and Diablo III.
Blizzard's Battle.Net is one of the older (perhaps the oldest) gaming social networks, built around some of the most popular PC games of the last decade: Warcraft III, Starcraft, and Diablo II. While I've not been made privy to the service's history, it seems to have grown up in a rather ad hoc fashion. With the impending launch of Starcraft II, Blizzard has redesigned the service, and one of its key components is its new identity service - RealID.
Online identity is a tricky problem (I've written over 100 blog entries on the topic) and Jaime Skelton of MMORPG.com has written a great article discussing the issues with Blizzard's service.
The RealID service as currently implemented lacks many of the privacy controls that users have come to expect from a social network - it seems that friends cannot be grouped into different categories for privacy and that it is not possible to play somewhat anonymously (a tricky issue for an online service).
Email addresses are login IDs - a bad idea I've discussed before - and you are identified by your real name to your friends, even if you haven't given that information to them otherwise. While Blizzard has stated that "friends" should only be your "real" friends, the expectation of "friending" online acquaintances has become so accepted that Blizzard's implementation is bound to cause a fair amount of trouble.
There are also some COPPA and child protection issues raised by the service, even if it is not explicitly targeted at children (complying with COPPA is such a good, do-able business strategy, and a legal requirement, there is rarely a sensible reason for not implementing its features even if you don't target kids as customers).
There are a number of other privacy issues as well as security concerns that have been raised by RealID.
Identity services are a key customer service and a major customer service cost - their design and implementation requires careful engineering and thought.
How are we going to solve online identity? Just stop by 7-11.
A number of years ago, I was involved in some discussions about age verification for online gambling. At that time, as today, there were plenty of technology pushers around trying to sell ID tokens, biometric systems, and so on.
My answer was simpler - use convenience stores.
After all, these pervasive, local merchants are the gateway to adulthood.
They sell us alcohol, cigarettes, porn, and lottery tickets.
They are entrusted by the state to verify our identities and our ages.
It would seem New Hampshire has figured this out. The state is beginning to support online lottery games, but the sales are tied to the existing retail infrastructure as players need to go to a lottery retailer, buy a ticket with a unique number, and register online to play (and presumably reverse the process to cash out).
Simple and as secure as anything else anyone has proposed.
And only the beginning for online skill and gambling games.
Know anyone at 7-11?
"New lottery games: A small change", http://www.unionleader.com/article.aspx?headline=New+lottery+games%3A+A+small+change&articleId=0e853e6a-1924-40db-bb54-d78c944c7d79
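The retail-ticket-to-online-account flow described above, as an added example (not the New Hampshire lottery's own design or code): the identity and age check happens at the counter, so the only thing that carries that check online is the ticket number, which therefore has to be unguessable and usable exactly once. The issuer key, ticket format and service names are assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed key shared by the retail terminals that print tickets and the web
# registration service (hypothetical; not part of the scheme as reported).
ISSUER_KEY = b"demo-issuer-key-replace-in-production"


def issue_ticket(key: bytes = ISSUER_KEY) -> str:
    """Retail side: mint a ticket number for a buyer whose age was checked at the counter.

    A random serial plus a truncated HMAC tag means a ticket cannot be guessed or
    forged by someone who never stood in front of the clerk.
    """
    serial = secrets.token_hex(6)  # 48 random bits, 12 hex chars, not sequential
    tag = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{serial}-{tag}"


@dataclass
class RegistrationService:
    """Web side: binds a purchased ticket to an online account exactly once."""

    key: bytes = ISSUER_KEY
    redeemed: dict = field(default_factory=dict)  # ticket -> account that used it

    def _genuine(self, ticket: str) -> bool:
        serial, sep, tag = ticket.partition("-")
        if not sep or len(serial) != 12 or len(tag) != 8:
            return False
        expected = hmac.new(self.key, serial.encode(), hashlib.sha256).hexdigest()[:8]
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    def register(self, account: str, ticket: str) -> str:
        # Reject forged or mistyped numbers before touching any state.
        if not self._genuine(ticket):
            return "rejected: unknown ticket"
        # A ticket is a bearer credential: the first registration consumes it,
        # so a number copied or resold after use buys nothing.
        if ticket in self.redeemed:
            return "rejected: ticket already registered"
        self.redeemed[ticket] = account
        return "ok"


if __name__ == "__main__":
    service = RegistrationService()
    ticket = issue_ticket()
    print(ticket, service.register("alice", ticket))
    print(ticket, service.register("bob", ticket))
```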
Richard Branson has re-entered the game industry with a tournament game site, Virgin Gaming. The site is supposed to award $1 Million in prizes over the next 12 months and will use existing console games.
(If you've been to PlayNoEvil before, you'll know what's coming next)
First of all, I am a huge fan and fascinated by the potential of skill games as an online business. I think skill games and more advanced gambling games could be the drivers of a new industry.
However, you've got to design for the medium.
Without basic changes, I suspect Virgin Gaming will rapidly join the ranks of failed tournament services.
Pool of Players
Customers are key to a business and a tournament service relies on having many, many players so that the entry fees far outweigh the cost to operate and the prize pool. Most console games are HEAVILY SKILL driven. There are great players and then there are the rest of us. They know it. We know it. In pretty much any sports or FPS or other twitchy game, I know I've lost in the first couple of minutes. Ranking systems somewhat compensate for this, but as seen with Team Fortress 2 and most other online shooters, the best players dominate the game and everyone else quits.
The Illusion of Skill
A 'great' skill game is one where everyone thinks that they are above average. Poker has achieved this. The game is designed so that for virtually every hand there is a way to see how you could have won when you've lost. Poker is a study in brilliant player choice and information disclosure. The game is strategic, but simple and, because of chance, a player is unlikely to go too long without a victory.
Game Duration / Game Sessions
A good tournament service needs to have lots of short game sessions so that players who've lost have a chance to re-enter the tournament or enter another event. If a game takes a long time to lose, players will abandon it rather than try again. Learning opportunities and feedback needs to be fast.
The Dark Side
While Virgin Gaming is using the Xbox Live and Playstation service, there is no strong identity in the system (both services now support pre-paid debit card players), so there is only a weak linkage between an account number and a person. Once a game is played for money, even if there was strong "account identity", there is very weak "player identity" - after all, I could bring in my "ringer" buddy to play on my behalf when real money is on the line.
... and then there is cheating (a problem even on console games).
... and then there is tournament abuse (manipulation of ranking and reputation systems).
... and, of course, the complicated legal issues for these games (skill games are not legal in all US states).
I discuss tournament and ranking abuse, cheating, and identity problems at some length in my book Protecting Games.
I'm looking forward to the day someone gets this right. It will be a true revolution in gaming.
Square Enix is dealing with a security breach for its MMO Final Fantasy XI. It seems that players' user names, passwords, and other registration information were disclosed. Based on the description, it looks like a login and registration server was compromised.
Important Notice Regarding your PlayOnline ID(s)
Thank you for your continued support of PlayOnline and FINAL FANTASY XI.
As a result of an attack on our computer network, there is a possibility that information pertaining to some users has been compromised including the PlayOnline ID, PlayOnline password and certain other details obtained during registration. We have taken measures as soon as the attack was detected, and have limited the potential breach of information.
If you have linked your PlayOnline ID to a Square Enix Account, your account will be safe due to the nature of the information possibly breached. Please be assured that sensitive information such as your credit card number has not been compromised.
To prevent any misuse from accounts potentially compromised during this incident, we have changed the PlayOnline password for all those affected. We will be sending the new PlayOnline password to you by regular mail to the address registered in our records. We apologize for the inconvenience, but you will be able to login to PlayOnline using this new password. We have also sent out details on how to reset your password through our Information Center to those with a valid e-mail address, during the early hours of June 4th.
Those who can still login to PlayOnline using their current password are unaffected by the contents of this e-mail.
Please note: Square Enix employees will not ask you for your PlayOnline password regarding this incident. Please remain vigilant of any phishing attempts disguised as correspondence from Square Enix.
Thank you for your understanding, and we again apologize for any inconvenience caused.
Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:
World of Warcraft - 210,000
Aion - 60,000
PlayNC - 2 million (NCSoft's site-wide account)
Wayi Entertainment - 16 million
Symantec focused on an interesting feature of the botnet - it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck.
Ah, the Internet and its glorious features.
It was unclear how all of these identities were collected, probably via phishing or purchase.
Needless to say, this did represent a substantial dollar value in stolen accounts... millions and millions of dollars.
Sony's Playstation Network is rather different from Microsoft's Xbox Live in that games are tied to an account instead of a console. PSN players can install a game on up to five consoles. Clever users are "timesharing" games using a single purchase to install games on five consoles and share the game... basically buying a game for 1/5th the price.
Capcom has added a layer of "DRM" to its PSN game, Final Fight. This retro game requires players to login with the account of the person who purchased the game originally in order to play and in order to login, the player has to be connected to the PSN.
So, Capcom is requiring the same continuous connection that is getting Ubisoft in trouble, but on a console instead of a PC.
Account sharing may also be a problem for other online services like Steam.
Scott Jennings and NCSoft have put out a good, thorough message on the state of the game's security issues.
The message was posted very early this morning (the 20th) and within the first couple of hours has been viewed almost 10,000 times.
People really care about the security of their accounts and their game.
Security messages on the site get a lot of visits (see stats at the bottom of Scott's message). The last message on account security, from December 24th has had over 131,000 views - far more than any other recent message thread.
It will be interesting to see if this is followed up with any press releases or interviews to the games media.
Hopefully, like Jagex, NCSoft will also pursue legal recourse against criminals who engage in account theft (a clear crime under computer security laws).
Marcus Eikenberry of MarkeeDragon has a 38 minute interview with "Patrick" - a young man who made between $10,000 and $20,000 over the course of one year of criminal scamming:
There are some fascinating details (here are my notes on the highlights):
3:00 Started in Eve Online / GoonSwarm
5:30 Scammed his own Eve Online Corporation as a Director (non GoonSwarm) stole 9B ISK in 2006
6:30 WoW Scam/Griefing casual every month or so
7:30 Lost his job and decided to sell his Eve Online Account.. he took the money and realized he didn't have to transfer the account - there was no protection for intangible items in PayPal Terms of Service - He made $750... used it for rent.
10:00 In order to "beat PayPal", he mailed a piece of paper with invalid information... got through PayPal security and sent the Shipping Tracking information (PERSONAL NOTE: my company used physical shipments to validate shipments of license keys to avoid fraud problems in 2003).
11:45 Scammers "networking" to develop tactics... Paypal changes and protect buyers, not sellers. Reverse scam to a "Buyer Scam": Buy Item, dispute sale, Resell the account quickly
13:30 Started identity theft ... used stolen name and SSN to set up fraudulent PayPal account tied to his real bank account + fake ID (there is no cross verification of account names - Marcus is currently checking to see if this weakness still exists)... Patrick worked in HR as recruiter... had info of anyone who applied for a job at the company (IT IS SCARY HOW MANY PEOPLE HAVE ACCESS TO YOUR NAME AND SOCIAL SECURITY NUMBER) then closed PayPal account quickly before they put in a dispute... age 21, 22. Blames economy, desperation - rent & food problems.
16:30 - All you need to create a PayPal account is a name & SSN (and your own bank account)
16:50 - $10 to $20K in one year... was active for one year.
17:30 - Why he was not caught - only small transactions... keep it under $1000. PayPal "caught up with him" eventually - then he started using other people's accounts.. that is why he started ID theft (but they didn't validate account, see above)
19:00 - Paypal is so easy, much easier than direct deposit or wire transfer... a lot of scammers only do this (scamming) once.
20:00 - Last Scam / Biggest Scam - started getting scared. Meet girls "get them to love him" and use their Paypal account (or get them to set up a Paypal account). "Most interesting" found he actually liked the girl. Got a real job and paid her back. Realized what he was doing.
22:15 - Other most exciting was the first one. When you make over $500,... a "means to get by".
23:20 - Security advice... copy of driver's license & prove it's actually the person... TrustWho works (NOTE: run by MarkeeDragon - 99.7%).. if they've never done any sales before on the site, don't trust them... reputation at sites is a problem if you haven't done a sale before... TrustWho really "ruined his (scam) business". He was not able to get TrustWho verified.
29:30 CraigsList is great place to scam people. Get 18 year olds with fresh money (after graduation).
30:50 - Successful transactions in past, get drivers license (repeat)... scary how many people have your drivers license and SSN
33:00 - Wrapup by Marcus Eikenberry - scamming women, HR attacks, name & SSN is all it takes
I'd echo Marcus' comments. The potential for abuse by people in Human Resources and customer service is truly frightening, especially in this economy. It is also disheartening how weak our financial authentication systems are.
Game accounts get hacked. Players lose their "stuff" and investment of time... and they take it very personally.
Marcus Eikenberry of MarkeeDragon has a video about the problem of players losing their accounts due to the account being hacked. He notes that most games basically shrug off the problem and "blame the player", though sometimes game operators will make an effort to "investigate" and "return" players items.
I've argued previously that game companies should be very aggressive about restoring player assets. There is a cost in terms of customer service associated with any sort of "investigation". If the game company does restore the assets, there is a huge amount of good will with the customer while if the items or other account assets are lost, the player may well just quit (both scenarios are discussed in the video - Blizzard gets credit for restoring some of the player's stuff).
The Customer Service Perspective
For a subscription game, this should be a no-brainer - just give the items back (at least the first time).
For a Free-to-Play game, this should almost be a no-brainer... anyone who has invested real money is much more likely to invest more.
For either case, if you are queasy about "disrupting the game economy" (PLEASE, one user or some small number of users?), charge a fee (I'd have 2 tiers - one for players who pay in advance for "account recovery" insurance and another for those who want their account fixed)....
... and I'd require them to buy a security token at the same time (I'd also give free restoration for players who use security tokens).
The Player Perspective
I see three options here that start with the same step:
1. Gather a petition list of players who have had their accounts looted in a specific game (include copies of trouble tickets, etc. for substantiation).
Option 1 - Call the Feds (with Friends) - With a large number of players, you can show a large implied dollar value lost (play time at minimum wage, current "resale" value of the accounts) and a large number of victims. The US is not taking identity theft nearly as seriously as it should. By putting together a big case, you've got something that can catch law enforcement's (and the media's) interest... as in the video... move yourself to the top of the pile.
Option 2 - Petition the Game Company - The Publicity Attack - large groups of people can get attention in a way individuals can't. If there are hundreds or thousands of victims, you can get the company's attention... the media can help a lot here.
Option 3 - Sue the Game Company - Players are spending a lot of money on these games and there is an implied level of service. With a large set of names, you may be able to form a class action suit, at a minimum with the goal of getting the company (and others) to change its practices. One lawsuit of this sort may cause a real change in the view of customer service for the industry.
Copyright 2005-9. IT GlobalSecure, Inc. All rights reserved. IT GlobalSecure makes every effort to include citation of sources. If you determine inaccuracies or omissions, please contact us. Playnoevil.com is the blog of CEO, Mr. Steve Davis. IT GlobalSecure and its SecurePlay are trademarks of IT GlobalSecure, Inc. IT GlobalSecure supports secure e-commerce processing for web sites including the SecurePlay Store and commercial clients, such as Urban Revivals LLC.